[keycloak-user] Is it possible to use a non Keycloak client to call a Keycloak secured Rest services?

Bill Burke bburke at redhat.com
Tue Jul 15 16:15:04 EDT 2014


You should create a new oauth client.  Add the scope you want for it. 
Change your code to use your new oauth client.

It is not magic.  Here's an explanation:

* "Clients" are not the same thing as "users".  Clients are devices or 
servers that are requesting an access token for a specific user.
* "Scope" is the set of roles a "client" is allowed to ask for.
* The access token contains role mappings from the union of the user's role 
mappings (the user's permissions) and the client's scope (the roles the 
client is allowed to access for a user).

Make sense?

On 7/15/2014 4:05 PM, Christina Lau wrote:
> The code is the same as the AdminClient you pointed me to. However, I
> just try something based on what you said. In the admin-client oauth
> client, I went to Scope Mappings and added user role (which is the
> security role for the rest services). Now it works. Does this sound
> right to you? Seems magical...
>
> On Jul 15, 2014, at 3:48 PM, Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
>
>> Please elaborate on your code to obtain a token.  Your client (not
>> user) may not have the scope you need and the token may not be getting
>> set with the desired role mappings.
>>
>> On 7/15/2014 3:15 PM, Christina Lau wrote:
>>> Hi Bill, further to last comment, i.e. although I can get the token,
>>> when I use it to call the same Rest service, I am getting 403 instead.
>>>
>>> I don’t know if this helps or not, but I have also noticed that the
>>> console produced different output:
>>>
>>> *Using non-keycloak client (Did not work - get 403)*
>>>
>>> 15:05:28,228 INFO  [org.keycloak.services.resources.TokenService]
>>> (default task-1) no authorization header
>>> 15:05:28,345 INFO  [org.keycloak.audit] (default task-1) event=LOGIN,
>>> realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=admin-client,
>>> userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1,
>>> username=roger at mailinator.com,
>>> response_type=token, auth_method=oauth_credentials,
>>> refresh_token_id=3730424f-a718-4be8-a9fc-a090e5932564,
>>> token_id=dd1bfeaa-54b1-4824-a6fe-d14eb1ae6f97
>>> 15:05:28,547 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
>>> task-2) --> authenticate()
>>> 15:05:28,548 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
>>> task-2) try bearer
>>> 15:05:28,566 INFO
>>>  [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default
>>> task-2) checking whether to refresh.
>>> 15:05:28,566 INFO
>>>  [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default
>>> task-2) use realm role mappings
>>> 15:05:28,571 INFO
>>>  [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default
>>> task-2) propagate security context to wildfly
>>> 15:05:28,571 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
>>> task-2) Bearer AUTHENTICATED
>>>
>>>
>>> *Using keycloak app (similar to customer-cli sample) Work*
>>>
>>> 15:06:30,254 INFO  [org.keycloak.services.resources.TokenService]
>>> (default task-1) createLogin() now...
>>> 15:06:39,965 INFO  [org.keycloak.audit] (default task-2) event=LOGIN,
>>> realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=hellokeycloak,
>>> userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1,
>>> username=roger at mailinator.com,
>>> response_type=code, redirect_uri=http://localhost:59999,
>>> auth_method=form,
>>> code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946
>>> 15:06:39,966 INFO
>>>  [org.keycloak.services.managers.AuthenticationManager] (default
>>> task-2) createLoginCookie
>>> 15:06:39,966 INFO
>>>  [org.keycloak.services.managers.AuthenticationManager] (default
>>> task-2) createIdentityToken
>>> 15:06:40,092 INFO  [org.keycloak.services.resources.TokenService]
>>> (default task-3) no authorization header
>>> 15:06:40,119 INFO  [org.keycloak.audit] (default task-3)
>>> event=CODE_TO_TOKEN, realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7,
>>> clientId=hellokeycloak, userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783,
>>> ipAddress=127.0.0.1,
>>> refresh_token_id=476b2f86-3df4-4cf6-8d51-55aa70264346,
>>> code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946,
>>> token_id=be0358ab-2c28-4bdc-a95c-681b63095217
>>> 15:06:46,567 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
>>> task-4) --> authenticate()
>>> 15:06:46,568 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
>>> task-4) try bearer
>>> 15:06:46,584 INFO
>>>  [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default
>>> task-4) checking whether to refresh.
>>> 15:06:46,584 INFO
>>>  [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default
>>> task-4) use realm role mappings
>>> 15:06:46,589 INFO
>>>  [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default
>>> task-4) propagate security context to wildfly
>>> 15:06:46,590 INFO  [org.keycloak.adapters.RequestAuthenticator] (default
>>> task-4) Bearer AUTHENTICATED
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
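The explanation above (clients versus users, a client's scope mappings, and the role claims that end up in the access token) is the whole story behind the 403 in this thread. The following Python is an added illustration, not Keycloak's own code and not from anyone on this list: it is a simplified model in which the roles written into a token are the ones present both in the user's role mappings and in the client's scope mappings, and a resource server that requires one role answers 403 when the token lacks it. The user and client data are constructed for the example, and the claim names (`realm_access.roles`, `azp`, `preferred_username`) are assumed to mirror a Keycloak token layout.

```python
"""Simplified model of how role claims reach an access token and why a
resource server then answers 403 (added example, not Keycloak's code).

Assumptions (not from the original thread):
  * a client only receives roles listed in its scope mappings;
  * the resource server checks realm_access.roles for one required role;
  * sample users and clients below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    client_id: str
    scope: frozenset  # roles this client may obtain on a user's behalf


@dataclass(frozen=True)
class User:
    username: str
    role_mappings: frozenset  # the user's own permissions


def effective_token_roles(user: User, client: Client) -> frozenset:
    """Roles a token for `user` obtained through `client` will carry.

    Modelled as the roles present in BOTH sets: the client cannot request a
    role the user does not hold, and the user's roles outside the client's
    scope are left out of the token."""
    return user.role_mappings & client.scope


def issue_token(user: User, client: Client) -> dict:
    """Build a constructed token payload with the claims relevant here."""
    return {
        "preferred_username": user.username,
        "azp": client.client_id,  # authorized party: the requesting client
        "realm_access": {"roles": sorted(effective_token_roles(user, client))},
    }


def authorize(token: dict, required_role: str) -> int:
    """Resource-server check: 200 when the bearer token carries the role,
    403 otherwise. The token is accepted (authenticated) either way; only
    the authorization step fails, which matches the thread's symptom."""
    roles = set(token.get("realm_access", {}).get("roles", []))
    return 200 if required_role in roles else 403


# Constructed sample data modelled on the thread: the user holds the "user"
# role that protects the REST service; the custom oauth client starts with
# an empty scope and is then granted that role in its scope mappings.
ROGER = User("roger", frozenset({"user"}))
ADMIN_CLIENT_BEFORE = Client("admin-client", frozenset())
ADMIN_CLIENT_AFTER = Client("admin-client", frozenset({"user"}))


def demo() -> tuple:
    """Status codes for the same user before and after the scope change."""
    before = authorize(issue_token(ROGER, ADMIN_CLIENT_BEFORE), "user")
    after = authorize(issue_token(ROGER, ADMIN_CLIENT_AFTER), "user")
    return before, after


if __name__ == "__main__":
    print(demo())  # (403, 200)
```

Widening a client's scope only unlocks roles the user already has, so granting the `user` role in the client's scope mappings changes nothing for a user who was never mapped to it; that is the check to run when a token validates but the service still answers 403.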

